GSA Blog

GSA Blog Logo
Photo of computer with cybersecurity lock

Are We Federated Yet?

| Ken Myers, Chief Federal ICAM Architect, GSA Office of Governmentwide Policy Identity and Trusted Access Division
Post filed in: cybersecurity

GSA’s Office of Government-wide Policy is pleased to announce a new Enterprise Single Sign-on Playbook. This playbook is for identity program managers and enterprise and application architects interested in modernizing their agency’s access management systems for internal or external applications. Single sign-on, or SSO, allows agencies to centralize application access for employees and contractors, ultimately allowing for federated access with other federal executive agencies.

This playbook outlines five steps for implementing an enterprise SSO service and helps agencies answer the question: “Are we federated yet?”

  1. Gaining enterprise support 
  2. Planning application integration 
  3. Preparing SSO service integration 
  4. Integrating applications 
  5. Federating application access

Defining “Federation”

Federation may have different meanings in different circles. In Federal Identity Credential and Access Management (FICAM), federation is the sharing and acceptance of digital identities, attributes, and credentials between federal agencies. SSO leverages the same patterns, tools, and techniques to share and accept digital identities with agencies and federal applications.

What Are the Benefits of SSO?

SSO enables end users to log in to multiple applications using multi-factor authentication options and extends capabilities for applications that don’t natively support multi-factor authentication. Other benefits include: 

  1. Better support for IT modernization and cloud adoption projects
  2. Better support for your remote workforce
  3. Improved user experience
  4. Reduction of identity-related help desk tickets
  5. Improved security posture

Why Is SSO Important?

SSO centralizes access to agency applications and underlying data. Without a centralized mechanism, each application must perform its own user lifecycle management, which includes removing access in a timely manner when an employee departs an agency. If identities are  compromised, SSO acts as a launching point for further lateral movement of bad actors in an application or agency network. Although SSO doesn’t prevent compromises from happening, centralizing access with SSO gives agencies consistent security controls, including multi-factor authentication options, which may not be supported natively by applications.

Join Our Communities!

This playbook is iterative and agencies are encouraged to collaborate, share best practices, and lessons learned. Join the committee or community of practice linked below to learn and engage in single sign-on. 

Join the Identity, Credential, and Access Management subcommittee (ICAMSC)